Total
1070 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-2095 | 1 Jenkins | 1 Redgate Sql Change Automation | 2024-08-04 | 4.3 Medium |
| Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | ||||
| CVE-2020-2078 | 1 Sick | 1 Package Analytics | 2024-08-04 | 6.5 Medium |
| Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. An authorized attacker could access these stored plaintext credentials and gain access to the ftp service. Storing a password in plaintext allows attackers to easily gain access to systems, potentially compromising personal information or other sensitive information. | ||||
| CVE-2020-0540 | 1 Intel | 1 Active Management Technology Firmware | 2024-08-04 | 7.5 High |
| Insufficiently protected credentials in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. | ||||
| CVE-2021-46440 | 1 Strapi | 1 Strapi | 2024-08-04 | 7.5 High |
| Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | ||||
| CVE-2021-45892 | 1 Zauner | 1 Arc | 2024-08-04 | 5.9 Medium |
| An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is storage of Passwords in a Recoverable Format. | ||||
| CVE-2021-45097 | 1 Knime | 1 Knime Server | 2024-08-04 | 2.9 Low |
| KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content. | ||||
| CVE-2021-44451 | 1 Apache | 1 Superset | 2024-08-04 | 6.5 Medium |
| Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher. | ||||
| CVE-2021-43978 | 1 Allegro | 1 Allegro | 2024-08-04 | 7.1 High |
| Allegro WIndows 3.3.4152.0, embeds software administrator database credentials into its binary files, which allows users to access and modify data using the same credentials. | ||||
| CVE-2021-43767 | 1 Postgresql | 1 Postgresql | 2024-08-04 | 5.9 Medium |
| Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL. | ||||
| CVE-2021-43397 | 1 Liquidfiles | 1 Liquidfiles | 2024-08-04 | 8.8 High |
| LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin. | ||||
| CVE-2021-43332 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2024-08-04 | 6.5 Medium |
| In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack. | ||||
| CVE-2021-42913 | 1 Samsung | 3 Scx-6555, Scx-6555n, Syncthru Web Service | 2024-08-04 | 7.5 High |
| The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required. | ||||
| CVE-2021-42306 | 1 Microsoft | 4 Azure Active Directory, Azure Active Site Recovery, Azure Automation and 1 more | 2024-08-04 | 8.1 High |
| An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry. | ||||
| CVE-2021-42023 | 1 Siemens | 2 Modelsim, Questa | 2024-08-04 | 6.5 Medium |
| A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). The RSA white-box implementation in affected applications insufficiently protects the built-in private keys that are required to decrypt electronic intellectual property (IP) data in accordance with the IEEE 1735 recommended practice. This could allow a sophisticated attacker to discover the keys, bypassing the protection intended by the IEEE 1735 recommended practice. | ||||
| CVE-2021-41972 | 1 Apache | 1 Superset | 2024-08-04 | 6.5 Medium |
| Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way. | ||||
| CVE-2021-41125 | 2 Debian, Scrapy | 2 Debian Linux, Scrapy | 2024-08-04 | 5.7 Medium |
| Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`. | ||||
| CVE-2021-41092 | 2 Docker, Fedoraproject | 2 Command Line Interface, Fedora | 2024-08-04 | 5.4 Medium |
| Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH. | ||||
| CVE-2021-41023 | 2 Fortinet, Microsoft | 2 Fortisiem, Windows | 2024-08-04 | 5.5 Medium |
| A unprotected storage of credentials in Fortinet FortiSIEM Windows Agent version 4.1.4 and below allows an authenticated user to disclosure agent password due to plaintext credential storage in log files | ||||
| CVE-2021-40857 | 1 Auerswald | 20 Commander 6000r Ip, Commander 6000r Ip Firmware, Commander 6000rx Ip and 17 more | 2024-08-04 | 8.8 High |
| Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring. | ||||
| CVE-2021-40476 | 1 Microsoft | 18 Windows 10, Windows 10 1507, Windows 10 1607 and 15 more | 2024-08-04 | 7.5 High |
| Windows AppContainer Elevation Of Privilege Vulnerability | ||||